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We derive a proof of security for the Differential Phase Shift Quantum Key Distribution (DP- 
SQKD) protocol under the assumption that Eve is restricted to individual attacks. The security 
proof is derived by bounding the average collision probability, which leads directly to a bound on 
Eve's mutual information on the final key. The security proof applies to realistic sources based 
on pulsed coherent light. We then compare individual attacks to sequential attacks and show that 
individual attacks are more powerful. 

PACS numbers: Valid PACS appear here 



I. INTRODUCTION 

The goal of quantum cryptography is to exchange an 
unconditionally secure secret key over a potentially hos- 
tile environment. To date, a variety of protocols have 
been proposed to accomplish this goal. The first of 
these protocols was originally proposed by Bennett and 
Brassard (BB84) Q. Since that ground-breaking re- 
sult, a variety of additional protocols have been pro- 
posed 0, IE 0, IE j with varying advantages and dis- 
advantages. 

One of the more recent protocols is known as Differen- 
tial Phase Shift Quantum Key Distribution (DPSQKD 
for short) 0. This protocol appears to have several im- 
portant advantages which make it extremely promising 
for practical systems. First, DPSQKD can be easily im- 
plemented in optical fibers using readily available optical 
telecommunication tools. Second, there is good indica- 
tion that DPSQKD is largely insensitive to multiphoton 
states generated by the source, as opposed to other pro- 
tocols such as BB84. This allows the communicating par- 
ties to transmit much brighter coherent states, leading to 
higher communication rates and longer communication 
distances. 

To date, all security statements about DPSQKD have 
been based on considering only very restricted types of 
eavesdropping attacks, such as intercept and resend or in- 
serting a beamsplitter. This leads to the possibility that 
more sophisticated attacks based on generalized quantum 
measurements may exist which could potentially nullify 
many of the advantages of DPSQKD. Thus, it is impor- 
tant to have a security proof for this protocol which works 
for a more general class of attacks. Furthermore, because 
robustness to photon splitting attacks is one of the main 



features of this protocol, it is important that the proof 
of security includes these types of attacks. 

The most general attacks that one may consider in 
quantum cryptography are known as coherent or joint 
attacks. In these types of attacks Eve treats the entire 
key as a single quantum system, which is entangled with 
a probe state. The probe is only measured after all clas- 
sical information is exchanged. Coherent attacks allow 
Eve to take advantage of correlations induced by clas- 
sical information exchanged during error correction and 
privacy amplification. The proof of security against co- 
herent attacks is extremely difficult. To date, there are 
several proofs of security for the BB84 protocol against 
these most general types of attacks [E 0- A general 
securi ty p roof for the B92 Q protocol has also been de- 
rived |lOj| . In order to make the problem more tractable, 
one often restricts eavesdropping to individual attacks. 
In these types of attacks, it is assumed that Eve attaches 
an independent probe to each photon, and then mea- 
sures the probes independently. The security of BB84 
against individual attacks has been investigated in sev- 
eral works d The security of the B92 proto- 
col against individual attacks has also been proven [l4| . 
The restriction to individual attacks is often considered 
a realistic assumption because the capability to perform 
joint attacks is well beyond the domain of modern tech- 
nology. Such attacks would require that an eavesdropper 
possess a probe of extremely large dimensionality (on the 
order of the length of the string) with indefinite coher- 
ence time, and process the probe states with a quantum 
computer. Even individual attacks require a degree of 
quantum computational power which seems out of reach 
for the foreseeable future. 

In this paper, we derive a proof of security for DP- 
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FIG. 1: A basic DPSQKD system. 



SQKD against individual attacks. The proof applies 
to realistic sources based on attenuated lasers, and ac- 
counts for the poisson nature of the photon statistics in- 
jected into the channel. Security is proved by deriving 
a bound on Eve's average collision probability, which di- 
rectly leads to a bound on her mutual information for the 
final key We use this result to calculate the commu- 
nication rate of DPSQKD in the limit of large strings. We 
then compare this rate to that of BB84 using both single 
photon sources and poisson light sources. We show that 
DPSQKD achieves rates very close to BB84 with an ideal 
single photon source, and significantly outperforms BB84 
with poisson light. This is an important result because 
DPSQKD requires only attenuated laser light and linear 
optics, in contrast to single photon sources which are dif- 
ficult to implement. In the final section of this paper, 
we consider another type of eavesdropping attack known 
as a sequential attack. These types of attacks are not 
individual attacks, so they are not accounted for by our 
proof of security. However, they are conceptually simple 
and have raised a level of concern regarding the secu- 
rity of DPSQKD. We calculate the communication rate 
against these types of attacks and compare it to the rate 
for individual attacks. It turns out that in our parameter 
range of interest, the communication rate for individual 
attacks is always lower than sequential attacks. Thus 
security against individual attacks automatically implies 
security against sequential attacks. 



II. DIFFERENTIAL PHASE SHIFT QKD 

Figure n shows the basic idea behind DPSQKD. Al- 
ice prepares a periodic train of attenuated laser pulses 
whose phase is randomly modulated to be or ir. The 
coherent pulses are sent down the quantum channel and 
received by Bob, who measures them using an unbal- 
anced interferometer which combines the partial wave at 
time slot n with time slot n + 1 on a beamsplitter. If the 
phase difference between these two pulses is 0, a detec- 
tion event will only occur in detector DO. Similarly, if the 
phase difference is ±7r, detection events will only occur 
in detector Dl. Bob records the detection events and the 
times they occurred at. Once the quantum communica- 
tion is done, Bob announces at which times he detected a 
photon. This information allows Eve to determine Bob's 
string based on her knowledge of the phase differences. 
Error correction and privacy amplification can then be 
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FIG. 2: Schematic of intercept-resend and beamsplitter eaves- 
dropping strategies. 



performed on the sifted key to create the final secure 
key. 

To get an idea as to why this protocol is secure, lets 
consider some simple attacks Eve might try to perform. 
Two basic attacks are shown in Figure [3 The first at- 
tack is an intercept and resend strategy, in which Eve 
uses the same type of interferometer as Bob. When Eve 
gets a detection event time t m , she learns the phase dif- 
ference between the pulses at time t m and t m+ \ . She then 
prepares a pair of pulses with the measured phase differ- 
ence and sends them to Bob. If Bob detects a photon at 
time t m , then Eve has successfully stolen a bit without 
inducing errors. However, if a detection instead occurs 
at times i m +i or t m _i, then Bob will observe a 50% er- 
ror rate, and Eve will have no knowledge about that bit 
of the key. This strategy therefore induces a 25% over- 
all error rate which can be detected by Alice and Bob, 
revealing Eve's presence. 

In the second strategy, Eve inserts a beamsplitter into 
the channel to pull of a fraction of the light. This split 
off fraction is then measured by an unbalanced interfer- 
ometer, while the remainder is sent to Bob. We assume 
Eve posses a lossless channel with which she can trans- 
mit the un-split photons to Bob. This allows her to split 
off a fraction of the photons equal to the channel loss 
without modifying the communication rate. Because co- 
herent states are being used, Eve's detection events are 
independent of Bob's. Thus, the probability that Eve 
knows the value of a bit at time m given Bob detected a 
photon at that time, denoted p e (m), is simply given by 



Ps P iit{rn) = n(l-rj) 



(1) 



where n is the average number of photons per pulse. For 
small values of n, this attack provides little information 
about the sifted key. If Eve delays her measurement and 
uses an optical switch, she can improve the attack a factor 
of 2. 
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III. PHOTON SPLITTING IN DPSQKD 

In this section we lay the groundwork for the proof of 
security. We start by giving a mathematical description 
of individual attacks. We then investigate photon split- 
ting attacks in DPSQKD. The state prepared by Alice, 
denote \ip), is a set of consecutive coherent state pulses. 
The phase shift <f> n is the phase induced by the phase 
modulator on pulse n. This phase can take on the values 
and 7r. If Alice transmits N coherent pulses, we have 



N-l 



n=0 



(2) 



where cj) is the initial phase of the coherent state. We 
define the bosonic operator 'ip' as 



N-l 

VA f-£ 



e a„ 



(3) 



where ajj is the creation operator for a photon in time 
slot n. Assuming that the time slots do not overlap, these 
different operators commute with each other. Thus, the 
state in Eq. [21 can be re- written as 



oo C^tV 

i^)=Ev / ni)^^ 7 f io) 



(4) 



where P(j) is a poisson distribution with average photon 
number An, and h = \a\ 2 . A fundamental assumption 
of the DPSQKD protocol is that Eve does not possess a 
phase reference. Because of this, the above state should 
be averaged out over the different values of the phase <fi, 
resulting in the mixed state 



X>(j)i^><^ 



(5) 



where = (ifj ) J / V / J^|0). With no loss of generality, 
Eve can measure the photon number using a state pre- 
serving quantum non-demolition (QND) measurement. 
She can then split off NnT of the photons, where T is 
the transmission efficiency of the channel, and send them 
to Bob, while storing Nn(l~T) photons coherently to be 
measured after Alice and Bob have revealed all classical 
information. 

There are now two components of the eavesdropping 
strategy which must be addressed. The first is how 
much information can be extracted from the split pho- 
tons. This component is analogous to the information 
obtained from photon splitting attacks in BB84. Second, 
in the presence of channel noise Eve can potentially at- 
tack the fraction of the key that she transmits to Bob 
by entangling it with a probe state. This part of the 
eavesdropping attack is analogous to the general POVM 
attacks on single photon states. We will investigate the 



split photon component first, and then the generalizes 
POVM on the transmitted photons. 

Our analysis makes an auxiliary assumption that Eve 
attacks each photon individually. For the photons that 
are transmitted to Bob, each one is individually split and 
attached to an independent probe. The probes are then 
independently measured after all classical communica- 
tion is received. The split photons are also individually 
stored and measured. The individual attacks assumption 
implies that Eve cannot use the measurement results of 
one photon to refine her measurement on the rest of the 
photons. Thus, if Eve has split off k photons, she has k 
copies of the state -0^ 1 0) . Eve stores these k copies co- 
herently until all public information is revealed. After 
the quantum transmission is done, Bob will publicly an- 
nounce the time slots in which he had a detection event. 
Let B be the set of all time slots in which a detection 
event was observed, and B be the set of all other time 
slots. The operator ip' can be re-written as 



t _ 



f 



m+1 



|0) 



(6) 

For each time slot in B, Eve can perform the following 
unitary transformation 



i f -» — (fit + i 1 ) 



V2 



(6L - iy 



(7) 

(8) 



where 6^ and v m are orthogonal modes. There is no 
loss of generality in assuming this transformation is per- 
formed, because it is unitary and simply represents a 
transformation of the measurement basis. If measure- 
ment basis \E) is optimal for the state in Eq. El then the 
basis U^\E) is now optimal after the unitary transforma- 
tion U is applied. The state of each split photon is now 
given by 



t _ 



1 



meB 



neB 



(9) 



where x\ is 6\ if Alice sent a binary 0, and i J if Alice sent 
1. Thus, Eve's split photons are in a linear superposition 
of all the bits of the secret key, plus the irrelevant time 
slots where no photon was detected. However, because 
Eve does not know the phases <p m , her state is in fact a 
mixture of the different values of <p m . Specifically, 
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In the above equation \x m ) = i.tjO) and |n) = a+ 10). 
The phases <pi are summed over the possible values 
of and 7r, which have equal probability so that 
p(4>i, . ■ ■ , <f>k) — l/2 fc . From Eq. EH we see that Eve's 
state is in fact a random mixture of orthogonal states. 
This turns the problem into one of classical probability 
theory instead of quantum measurement. That is, if Bob 
recorded y detection events, each split photon will reveal 
a bit of Eve's key with probability 2y/N, and will reveal 
no information at all with probability 1 — 2y/N. 

Let us define T as the channel transmission and n as 
the average number of photons per pulse. After N pulses, 
Bob will observe on average NnT detection events. As- 
suming Eve has possession of a lossless channel, she must 
transmit NnT photons to Bob, and can split off the re- 
mainder Nn(l — T) photons to be stored coherently. Af- 
ter Bob reveals the time slots of his detection events, Eve 
can measure her split photons, in which case she learns 
2Nn 2 T(l — T). Thus, from the split photons Eve learns 
a fraction 2n{l — T) « 2fi of the sifted key. If n = 0.1, 
Eve learns only 20% of the final key. 

The most important aspect of the above conclusion is 
that, in contrast to BB84, the amount of information Eve 
obtains from photon splitting attacks is independent of 
channel loss. In BB84, as the channel losses get larger 
Eve can preferentially transmit multi-photon states and 
block off an appropriate fraction of the single photon 
states to conserve the overall communication rate. As 
the channel loss becomes larger, this type of attack gives 
her complete information over an increasingly larger frac- 
tion of the key. This results in a final communication rate 
which is roughly a quadratic function of channel loss, and 
hence decreases very quickly. In contrast, in DPSQKD 
the fraction of the final key that is revealed is only a 
function of n. This leads to a communication rate which 
decreases only linearly with channel loss, indicating ro- 
bustness against photon splitting attacks. 



IV. PROOF OF SECURITY 

In the previous section we showed that due to photon 
splitting, Eve obtains complete information over a frac- 
tion 2n of the key. When n is small, photon splitting 
attacks are largely ineffective. However, in the presence 
of channel noise Eve can also attack the photons that 
she transmits to Bob by entangling them with a probe 
state, and then measuring the probe after all classical 
information has been revealed. 

Because we restrict our attention to individual attacks, 
it is assumed that Eve attaches an independent probe to 
each photon, and these probes are all measured indepen- 
dently. The goal of a proof of security is to come up with 
a bound for the average collision probability , defined 
as 

P c = p 2 (X = x\Z = z,M = m)p(z,m) (11) 

x,z,m 



where X is the key Alice transmitted to Bob, Z is the in- 
formation Eve obtained from measuring the photon, and 
M is the set of time slots in which Bob detected a photon, 
which is also known to Eve. For the case of individual 
attacks, bit i originated from one photon which is cor- 
related to an independent probe state Zi, as well as Mi 
which is the time of the detection. In this case, the col- 
lision probability simplifies to a product of the collision 
probabilities of each individual bit [ly. Thus, 

p c =n pc ° ( i2 ) 

i 

where 

Pcq = P 2 ( x i =x\Zi = z, Mi = m)p(Zi = z, Mi = m) 

x,z,m 

(13) 

If bit i occurred in a time slot where Eve has obtained 
its value due to photon splitting, then Pci = 1. Let S 
be the set of all bits that occurred in time slots which do 
not coincide with a photon splitting measurement. We 
now have 

Pc = \[Pc a (14) 

We adopt a simplified notation such that P(Xi = x\Zi = 
z,Mi = m) = p(x\z,m), and use similar notation for all 
other probability distributions. In appendix lAl we show 
that the expression in Eq. 1131 can be re- written as 

^ , , / 1 ^ p(z,m\0)p(z,m\l) \ 
Pco = $>M ^1 - _ £ — ( — ) j 

(15) 

where and 1 are the possible values of the bit Alice 
transmitted. 

We now develop a mathematical formalism for all pos- 
sible measurements Eve can perform. We define \Ei) as 
the initial state of Eve's hilbert space. We do not as- 
sume anything about the dimensionality of this space. 
The initial state of a photon-probe system is given by 

* n 

where |n) is one again defined as aJjO) and represents a 
photon in time slot n. The most general unitary trans- 
formation Eve can apply to the system is described by 

\n)\Ei) ^J2\ m )\ E n,m) (17) 

m 

where \E n>m ) are states in Eve's Hilbert space and are 
not assumed to be normalized or orthogonal. Plugging 
the above relation back into Eq. 1161 and rearranging the 
summation we obtain 

" m n 
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After Bob's interferometer, the state is once again trans- not depend on </> m since this information is unavailable, 
formed into We define the number E nm (z) = (z\ E nm ). Without 

^ loss of generality we can assume this to be a real num- 

|*) = — ■= [(\J m ) + \J m +i)) |0 m > + (\J m ) - \ Jm+t)) |lm^ cr - Wc do not nccd to introduce complex numbers in 
2V-ZV _ this case because a probe state with a complex proba- 

bility amplitude can always be replaced by a probe of 
higher dimensionality with real probability amplitudes 
which performs at least as well We also define the 
following expressions: 



(19) 

where |0 m ) and |l m ) represent a photon in the output 
ports of Bob's interferometer which correspond to a bi- 
nary or 1 at time m. 

In appendix El it is shown that the probability of an 
error given Bob detected a photon at time m is given by 
the expression 



Pe\r 
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{E m ,m+l\ -Em+l.m))] 



(20) 



Eve will measure her probe in the basis \z), which can- 



(z) = E 

in . in 

(z) + E m+hm (z) (21) 
P m {z) = E m>m (z) - E m+ i, m (z) (22) 

Qm+\{z) = E 1 (z) + B m +l,m+l (z) (23) 

P m +i(z) = E m ,m+x{z) — E m +i,m+i(z) (24) 

In appendix E] we show that the collision probability is 
given by the expression 



\Qm( Z ) + Qrn+l( z ) + En/m,m+l ^n,m + ^n,m+l) (^m( z ) + Em+l( z ) + En/m,m+l ^n,m + ^ra,m+lj 



V E 2 4- E 2 
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I 



From the above expressions, it is clear that E n-m (z) 
where n 7^ m — l,m, m+ 1 can only decrease Eve's 
collision probability while simultaneously increasing the 
error rate. Thus, we only need to consider the states 
\E m -i, m ),\E m ,m), and |2? m+1>m ). We relabel these states 
as \A m ), \B m ), and \ C m ) respectively. We similarly define 
A m (z) = (z\ Am), B m {z) = (z\ B m ), C m {z) = (z\ C m ). 
The probability of error is now given by 



Pe\r 



1 



2Np(m 



((B m \ B 



m+l) 



We also have the expression 



Q m (z) = B m (z)+C m (z) 

P m {z) = B m (z)-C m (z) 

Qm+i(z) = A m+1 (z) + B rn+1 (z) 

P m +i(z) = A m+1 (z) - B m+1 (z) 



A m +i)) 
(26) 

(27) 
(28) 
(29) 
(30) 



In appendix[Dlit is shown that the collision probability 
is upper bounded by 



Pen < 



l-—Y((Ar 



I A m ) + (C m +i| C TO +i) 



(Qm\ P-m) + (Qm+l \ P-m+l) 
■(Qm\ Pm+l) + (Qm+l\ Pn)) 



(31) 



In appendix El we show that there is always an optimal 
attacks which satisfies the property that the inner prod- 
uct of the vectors |A m ), \B m ), and \C m ) with any other 



vector from this set is independent of m. This directly 
implies that p(m) = 1/N and that the collision probabil- 
ity is independent of m. Thus, 

Pco < l-l^2((A \A ) + (C 1 \C 1 ) 



+ {Qo\Po) + {Qi\Pi) 
+ (Qo\ Pi) + (Qi\ Po)) 
1 - (B \ Br) - (Co| A x ) 



(32) 
(33) 



where e is the bit error rate of the transmission. We must 
now maximize Ea. 13 21 subject to the constraint in Ea. 1331 
This is done in appendix El where it is shown that 



Pc < 1 - e 2 - 



(1 - 6e) 2 



(34) 



The above a equation applies when the error rate is in 
the range [0,6/38]. The point e = 6/38 is the point at 
which the above equation is maximized. When the error 
rate exceeds this value the collision probability saturates. 
There is no attack which allows Eve to have complete 
information on the key. This is in contrast to BB84 where 
Eve can steal Alice's photons and send an uncorrelated 
photon to Bob. After the measurement basis is revealed, 
Eve learns the bit but simultaneously induces a 50% error 
rate. 

Plugging the expression in Ea. 1341 back into Eq.[2l we 
obtain the following expression for Eve's total collision 
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probability on the k bit string, 



Pc = Pc, 



fe(l-2n) 



(35) 



Using the methods of generalized privacy amplification, 
the length of the final key should be set to 



r = - log 2 Pc - 



(36) 



where k is the number of bits exchanged during error 
correction and s is a security parameter |T3 |. The final 
communication rate, defined as R = linifc-^oo r/k, is given 
by 



Rdps 



Pclick [-(l-2n) log 2 Pco(e) + f(e)h(e)] 

(37) 

In the above equation p c Uck is the probability Bob de- 
tects a photon, h(e) = — e log 2 e — (1 — e) log 2 (l — e), and 
/(e) is a function which characterizes how far above the 
Shannon limit the error correction algorithm is perform- 
ing (see |l7j). For error correction algorithms working 
in the Shannon limit, which is the ultimate performance 
limit of all error correction algorithms, we have /(e) = 1. 



V. COMPARISON OF DPSQKD TO BB84 

Having derived a bound on the average collision prob- 
ability in the previous section, we can now compare DP- 
SQKD to the BB84 protocol. A bound on the collision 
probability for the BB84 protocol for realistic sources 
against individual attacks has been previously derived 
in p"?! ]. In this work, the communication rate was shown 
to be 



R 



BB84 



where 



Pclick 

-f(e)h(e)] 
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Pclick Pm 
Pclick 



(38) 



(39) 



In the above expression, p m is the probability that the 
source emits a multi-photon state into the channel. 

Bob's detection events originate from two sources, the 
photons injected into the channel by Alice and dark 
counts in Bob's detector. We assume that both the sig- 
nal and dark count detection probabilities are small, so 
that multiple detection events can be ignored. Thus, 



PcUck — nT + d 



(40) 



where n is the average number of photons injected into 
the channel, T is the channel transmission, and d is the 
detector dark count rate. The error rate e is given by the 
expression 



^Pdick + d/2 



Pclick 



(41) 
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FIG. 3: Communication rate vs. channel loss for DPSQKD 
and BB84. 



where \i is the baseline error rate of the system due to im- 
perfections in state preparation, channel induced noise, 
and imperfect detection apparatus. 

We compare DPSQKD to BB84 using both a Poisson 
photon source and ideal single photon source. For pois- 
son light sources, n is freely adjustable and p m < n 2 /2. 
In contrast, an ideal single photon source is characterized 
by n = 1 and p m = 0. The detector dark count rate is 
an important parameter in the simulation. For telecom 
wavelengths, one of the most promising photon detec- 
tors is based on up-conversion of 1.5/1 photons to visible 
wavelengths, where t hey can be detected using conven- 
tional silicon APDs [Ig. Such detectors have already 
been used to experimentally demonstrate DPSQKD in 
the telecom wavelengths, allowing communication dis- 
tances over 100km of fiber [l^. The experimentally mea- 
sured dark count rate for these detectors is 10kHz per 
detector. The APDs have a temporal resolution of 0.5ns. 
If the signal is windowed to this resolution level, the dark 
count rate per pulse is 5 x 10~ 6 dark counts per detector. 
Since DPSQKD uses 2 detectors, the overall dark count 
rate is 10 -5 . In contrast, BB84 with passive modula- 
tion uses f° ur detectors giving a dark count rate of 
2 x 10 -5 . The baseline error rate is set to /i = 0.01. The 
parameter n is freely adjustable for BB84 with poisson 
light, as well as for DPSQKD. In the simulations, the 
value of n is numerically optimized for each value of the 
channel loss. 

The results of the simulation are shown in Fig. [3] The 
communication rate is plotted vs. the channel loss in 
units of dB. One can see that all three curves feature an 
exponential decay for a period of time, after which the 
communication rate quickly drops to 0. This sharp cut- 
off is caused by the dark counts in Bob's detectors. The 
curve for BB84 with poisson light decays as a faster ex- 
ponential than both DPSQKD and BB84 with an ideal 
single photon source. This is due to photon splitting at- 
tacks, which require us to lower n with increasing chan- 
nel loss. DPSQKD does not suffer from these types of 
attacks, therefore it follows more closely the curve for 
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BB84 with an ideal single photon source. This is a very 
important conclusion, because DPSQKD can be imple- 
mented with conventional lasers, detectors, and linear 
optics, in contrast to engineering of ideal single photon 
sources for BB84. 



VI. SEQUENTIAL ATTACKS 

In the previous two sections we investigated the secu- 
rity of DPSQKD against individual attacks. The funda- 
mental assumption in this analysis was that Eve mea- 
sures each photon independently, and does not use the 
measurement results of some of the photons to refine the 
measurement of the remaining photons. However, in DP- 
SQKD there are certain attacks which do not satisfy this 
assumption, but which are conceptually very simple. One 
such attack is the sequential attack. 

In a sequential attack, Eve uses a detection apparatus 
equivalent to Bob's setup, which she places in the quan- 
tum channel very close to Alice. Eve then waits for k 
consecutive clicks on her detection apparatus. Whenever 
such an event occurs, Eve can reconstruct a k + 1 time 
slot state. This states induces an error rate of 



1 



2(* + l) 



(42) 



Off course, the probability of observing k consecutive 
clicks decreases exponentially with k. If n is the aver- 
age number of photons per pulse, then the probability 
of k consecutive clicks is n k . This probability must be 
at least as large as Bob's detection probability in order 
for Eve to conserve the overall detection rate. Thus, we 
must have n k > fiT, which imposes an upper bound on 
k. 

The collision probability for sequential attacks is very 
easy to calculate. When Bob detects a photon in any 
time slot other than slot 1 or k + 2, Eve knows the value 
of Alice's key. This happens with probability k/(k + 1). 
If Bob detects a photon in slot 1 or k + 2, then Eve knows 
nothing about Alice's key, so her collision ptobability is 
1/2. If Eve performs M sequential attacks, her collision 
probability is given by 



P, 



1 



cQ 



2M/U+1 



From the condition n — nT we obtain that 



log. T + 1 



(43) 



(44) 



This condition ensures that there are enough sequen- 
tial clicks to conserve the communication rate. However, 
even if the number of sequential clicks is sufficient, Eve 
may not be able to perform an attack on every bit of the 
key, because she cannot exceed the natural system error 
rate which we define as e s . She can only perform a se- 
quential attack on a fraction e s /e seq of the bits, and must 
leave the remainder of the string undisturbed to conserve 




Channel Loss (dB) 



FIG. 4: Comparison of individual attacks to sequential at- 
tacks in DPSQKD. 



the error rate. Thus, if N is the number of bits in Alice's 
string, then 



M = — — = N(k + l)e s 

^seq 



(45) 



Plugging the above equation into Eq. 1431 and using 
Eq. 1361 we obtain the communication rate 

Rse q = Pciick [1 - 2e s (log fi T + 1) - f(e)h(e)] (46) 

We compare this communication rate to that of DP- 
SQKD calculated in the previous section. Using the same 
values for the dark count and error rate, we plot the 
communication rate for sequential attacks and individ- 
ual attacks in Fig.Q] For individual attacks, the average 
photon number n is once again optimized for each value 
of the channel loss. We then use the same optimal n to 
evaluate the rate for sequential attacks, so that we may 
compare the effectiveness of individual and sequential at- 
tacks under the same operating condition. One can see 
that the communication rate for individual attacks is al- 
ways lower than sequential attacks, indicating that in the 
operating regime we are considering it is more advanta- 
geous for Eve to perform individual instead of sequential 
attacks. This means that security against individual at- 
tacks already implies security against sequential attacks 
as well. 

Off course, we do not know if the sequential attack are 
optimal, or if a more clever scheme could produce better 
results for Eve. To answer this question, a more general 
proof of security is needed. 



VII. CONCLUSION 

In conclusion, we have derived a proof of security for 
DPSQKD with realistic sources against individual at- 
tacks. This proof allows us to directly calculate the com- 
munication rate after privacy amplification. We showed 
that, in contrast to BB84, DPSQKD does not suffer from 
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photon splitting attacks even when implemented with at- 
tenuated lasers. We compared the communication rate 
as a function of channel loss for DPSQKD to BB84 using 
both an attenuated laser and ideal single photon source. 
DPSQKD allows us to achieve communication rates close 
to BB84 with an ideal single photon source, making it an 
outstanding candidate for practical long distance quan- 
tum cryptography. We then compared individual attacks 
to sequential attacks in DPSQKD and showed that indi- 
vidual attacks are more powerful in our operating regime. 
Thus, security against individual attacks already ensures 
security against sequential attacks as well. 

Financial support for this work was provided by the 
MURI Center for photonic quantum information systems 
(ARO/ARDA Program DAAD19-03-1-0199), as well as 
a DCI fellowship. 



APPENDIX A: EXPRESSION FOR COLLISION 
PROBABILITY 



Here we derive the expression for the collision prob- 
ability given in Eq. ^j] We start with Eq. 1131 and use 
Bayes rule to rewrite it as 



Pc = E^ TO )E 



p 2 (z\0, m)p 2 (0\m) + p 2 (z\l, m)p 2 (l\m) 
p(z\m) 



(Al) 

By completing the square, we can re-write the above ex- 
pression as 



Pc = 5>(m) (l-2]T 

m \ z 



p(0)p(l)p(z , m\0)p(z, m\l) 
p(z, m)p(m)) 



(A2) 

Using the fact that p(0) = p(ir) = 1/2 directly leads to 
the result stated in Eq. ^] 



APPENDIX B: DERIVATION OF THE ERROR 
RATE 



In this section we show that Eve's attack strategy leads 
to an error rate given by Eq. [201 We start with the 
obvious relation p e . m = (p e ,m|o+Pe,m|i)/2- We define the 
states \M+) = \J m ) + \J m +i) and |M_) = \ J m ) - \J m+1 ). 
We define E t f >1 ,,, t f >k [A] as the average of expression A over 
the possible values of (f>\ . . . (pk- It is straightforward to 
show that 



PH = ^£*x...*» K M -\ M -) + ( M +\ M +)\ 



Now, 

Pe,m\0 = E Pe,m|O,0i,...,0 fc Yl 
4> 1 ,...,4> k jjtm+l 

- V V in. a 2- {k - 1] 

— re,m\0,4) 1 ,...,4> k ^ 

= 4/V E \Wn,m) — \E n ,m+l)\ 2 + 
I (\E m ,m) ~ \E m +l,rn + lj) + {\E m + 

The exact same argument leads to 

Pe.m\0 = Tjq E I \ E n,m) ~ \E n , m+1 ) \ 2 + 

I i\E m ^ m ) — \E m+ i „ l+ i)) — (\E m+ i m ) — \E m m+ i)) \ 2 
Using the above two expressions we have 



1 



p(m) ~ — ((E m . m \ E m+lim+1 ) 



+ (E m +l,m\ -EVn.m+l))] 



Dividing the above expression by p(m) directly leads to 
the expression in Eq. 1201 



APPENDIX C: EXPRESSION FOR COLLISION 
PROBABILITY 

Here we derive the expression in Eq. [23] We start with 
the expression in Eq. 1151 Using the same definition for 
E < f >1 ... < p k [A] that we did in appendix iBl we have 



p(z, m|0) 



[I (( Z \ J m) + (A Jm+l)) |0 m ) 

+ ((z\ J m )-(z\ J m +i))|l m )| 2 ] 

i r 2 

'^jy (^m,rn(-2 ; ) H~ -^m+l.ra) 
+ (Em,m+l(z) + -^m+l/m+l) 



E e2 



F 

n,rn ' n,m+l 



Similarly we can derive 

1 r 2 

p(z,m\l) = — y{E m , m (z) - E m+ i >m ) 

(z) - E m+ 

l,m+l / 



■ E E n,i 



E 



n,m+l 



Using the fact that p(z,m) = (p(z,m\0) + p(z, m|l))/2, 
and plugging the above two expressions into Eq. 1151 di- 
rectly leads to the expression given in Eq. 1251 
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APPENDIX D: UPPER BOUND ON COLLISION 
PROBABILITY 

We start with equation [23 and use the form of the 
Cauchy inequality which was first proposed by Lutken- 



haus for the bound on the collision probability in BB84 
(see Appendix A of |TI| )• Specifically if ijj(z) = (z\ ip) 
and 4>{z) = (z\ <fi), then the Cauchy inequality tells us 
that 



E 



> 



A 2 m {z) + A 2 m+1 (z) + Bl(z) + B 2 {z) + Cl(z) + C 2 m+1 {z) ~ 2p(m) 



(Dl) 



We expand the product terms in Eq. and apply the 
above bound. Also, we can assume that \A m ) and |C m +i) 
are orthogonal to all other vectors, because this maxi- 
mizes the collision probability without affecting the er- 
ror rate. This leads directly to the expression given in 
Eq.EU 



APPENDIX E: SYMMETRIZATION OF 
COLLISION PROBABILITY 



We have so far shown that the collision probability and 
error rate depend on interference between state vectors 
at times m and m + I. This means that our optimiza- 
tion problem has a symmetry of circular permutation. 
Specifically, if we apply the following transformation, 



chosen. The collision probability can now be written as 



IA, 

|S„ 
\C„ 



|^m+l mod fe) 
|S m _|_i mod fe) 
|Cm+l mod fe) 



we do not affect the error rate or Eve's collision proba- 
bility. Now, let us suppose that an optimal attack exists 
which is given by the state vectors |A m ), |S m ), and \C m ). 
We can form a new set of state vectors |AJ„), \B' m ), and 
\C' rn ) as follows 

\Ka) 

\B' m ) 

IO 



^ k-1 

-J= / ] \A m +j mod k)\j) 
^ fe-1 

— = ^ \ B ni+j mod fc) I j) 
^ fe-1 

~7= ^ \ C m+j modfe)|j) 



= E p 2 ( x \ z > m 'j)p( z ' m >j) 

= ^2pU) ^2 P 2 (x\z,m,j)p(z,m\j) 

j x,z : m 

= ^2pU) P cQ\ 3 



The expression P c o\j is simply the average collision prob- 
ability given the value of the measurement on the states 
However, because the different values of j represent 
different circular permutations and the collision proba- 
bility is invariant under circular permutation, we have 
PcO\j = Pea- Thus, the symmetrized probes \A' m ), \B' m ), 
and \C' m ) have the same collision probability as the un- 
symmetrized ones. It is easy to verify that these sym- 
metrized probes satisfy the property that their inner 
products with each other is independent of m. 



APPENDIX F: OPTIMIZATION OF THE 
COLLISION PROBABILITY 

We define a = (A \ A ) = (Ax\ Ax), b = (B Q \ B ) = 
(Si I Si), and c = (C | C ) = (Ci| Ci). Normalization 
imposes the constraint a + b + c = 1. We define the angles 
<j)i and (j>2 as 

(Si I S ) = focos^i 
(Ax\ Co) = ^faccos(j)2 

Straightforward manipulation of the bound on P c o leads 
to the expression 



S c0 < 1 - ~ [a 2 



(b- 



In the above equations, \j) represent an orthogonal basis 
which keeps track of which circular permutation has been 



(b — a) 2 + 2(6 cos (j>\ — \J~(ac) cos $2) 
We also use the fact that 

(6 cos 0i — yfaccosfa) = (1 — 2e) 2 — Aby/ac cos <j>x cost 
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Using the above expression, it is easy to show that the 
collision probability is maximized and the error rate is 
minimized when cost^i = cos 02 = 1. 
Now we set 

a = (1 — b) cos (9 
c = (1 - 6) sin 6» 

Plugging into the expression for the collision probability, 
it is straightforward to show that the collision probabil- 
ity achieves a maximum when 6 = it /A, and that this 



condition also minimizes the error rate. Thus, the opti- 
mal attack strategy occurs when a = c. This condition 
implies that 

x 

e = 2 

Pco < 1 - \ (x 2 + 2(1 - 3a;) 2 ) 

Substituting the expression for e into P c q directly leads 
to the expression in Eq. l3~4l 
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